New reporting rule forces data breaches into open

Businesses will be required to report data breaches under Privacy Act amendments passed by Federal Parliament in February 2017, raising the stakes for cyber risk management. Federal agencies, companies and non-profits with an annual turnover above $3 million will have to notify the Office of the Australian Information Commissioner of breaches and alert affected individuals. At present organizations are encouraged to notify the office, but there is no legal obligation. Under the rules passed last week, penalties will include fines of up to $360,000 for individuals and up to $1.8 million for organizations. Aon National Practice Leader, Cyber Risk, Fergus Brooks says the amendments are a “game-changer”.

“These financial implications will require a systematic change of attitude for many organizations, and conversations around cyber risks and data security need to be elevated to boardroom level,” he said.

“The new law will come into effect within a year. However, we recommend that organizations start preparing now.”

Costs arising from breaches can include business interruption, incident response, third-party claims, legal costs and damage to data. Barry.Nilsson Lawyers says the Privacy Act amendments signal a new era of transparency and corporate responsibility and bring into focus the regulatory, reputational and other potential costs associated with breaches.

“Mandatory notification will bring our laws into line with those of other first-world countries and drag serious Aussie breach events out of the shadows and into the light of public scrutiny for the very first time,” Insurance and Health Group Special Counsel Megan O’Rourke said.